Deduplicate github actions
We have multiple github actions that run e2e tests and share a
significant amount of logic.

We'll add reusable actions, making the workflows much easier to
maintain.
petrutlucian94 committed Dec 11, 2024
1 parent 50bc0b9 commit 17f4d07
Showing 10 changed files with 347 additions and 307 deletions.
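--- a/.github/workflows/build-snap.yaml
+++ b/.github/workflows/build-snap.yaml
@@ -0,0 +1,51 @@
+name: Build k8s-snap
+
+on:
+workflow_call:
+inputs:
+flavor:
+description: k8s-snap flavor (e.g. moonray or strict)
+type: string
+outputs:
+snap-artifact:
+description: Name of the uploaded snap artifact
+value: ${{ jobs.build-snap.outputs.snap-artifact }}
+
+jobs:
+build-snap:
+name: Build snap
+runs-on: ubuntu-20.04
+outputs:
+snap-artifact: ${{ steps.build.outputs.snap-artifact }}
+steps:
+- name: Checking out repo
+uses: actions/checkout@v4
+- name: Apply patches
+if: ${{ inputs.flavor }} != ""
+run: |
+./build-scripts/patches/${{ inputs.flavor }}/apply
+- name: Install lxd
+uses: ./.github/workflows/install-lxd.yaml
+- name: Install snapcraft
+run: |
+sudo snap install snapcraft --classic
+- name: Build snap
+id: build
+env:
+flavor: ${{ inputs.flavor }}
+run: |
+if [[ -n "$flavor" ]]; then
+out_snap=k8s-$flavor.snap
+else
+out_snap=k8s.snap
+fi
+sg lxd -c 'snapcraft --use-lxd'
+mv k8s_*.snap $out_snap
+echo "snap-artifact=$out_snap" >> "$GITHUB_OUTPUT"
+- name: Uploading snap
+uses: actions/upload-artifact@v4
+with:
+name: ${{ steps.build.outputs.snap-artifact }}
+path: ${{ steps.build.outputs.snap-artifact }}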
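Review bot: The condition on the Apply patches step, `if: ${{ inputs.flavor }} != ""`, places the comparison outside the expression, so after interpolation it is a non-empty string and the step runs unconditionally, including the empty-flavor case that the shell guard in the Build snap step handles; write `if: inputs.flavor != ''` (the same pattern gates every conditional step in download-k8s-snap.yaml). The Install lxd step references `./.github/workflows/install-lxd.yaml` as a step-level `uses:`, but a local composite action is resolved from a directory containing `action.yml`, not from a workflow file path, so this is unlikely to load as written — worth confirming with a run. The `${{ inputs.flavor }}` on the patch `run:` line is spliced into the script text before execution; since the same value is already exported as `$flavor` on the build step, `./build-scripts/patches/"$flavor"/apply` with an `env:` entry keeps caller input out of the script body.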
47 changes: 4 additions & 43 deletions .github/workflows/cron-jobs.yaml
Expand Up @@ -81,46 +81,7 @@ jobs:
- { branch: release-1.30, channel: 1.30-classic/edge }
- { branch: release-1.31, channel: 1.31-classic/edge }

steps:
- name: Checking out repo
uses: actions/checkout@v4
with:
ref: ${{matrix.branch}}
- name: Setup Trivy vulnerability scanner
run: |
mkdir -p sarifs
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-k8s-repo-scan--results.sarif"
severity: "MEDIUM,HIGH,CRITICAL"
env:
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
- name: Gather Trivy repo scan results
run: |
cp trivy-k8s-repo-scan--results.sarif ./sarifs/
- name: Run Trivy vulnerability scanner on the snap
run: |
snap download k8s --channel ${{ matrix.channel }}
mv ./k8s*.snap ./k8s.snap
unsquashfs k8s.snap
for var in $(env | grep -o '^TRIVY_[^=]*'); do
unset "$var"
done
./trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
- name: Get HEAD sha
run: |
SHA="$(git rev-parse HEAD)"
echo "head_sha=$SHA" >> "$GITHUB_ENV"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarifs"
sha: ${{ env.head_sha }}
ref: refs/heads/${{matrix.branch}}
uses: ./.github/workflows/security-scan.yaml
with:
channel: ${{ matrix.channel }}
checkout-ref: ${{ $matrix.branch }}
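Review bot: `checkout-ref: ${{ $matrix.branch }}` on the last added line is not a valid expression — `$` is not part of the context syntax — so the reusable workflow receives an unparseable input; it should read `checkout-ref: ${{ matrix.branch }}`, matching the `channel:` line above it. The job definition starts above the hunk; a job that `uses:` a reusable workflow cannot also carry `runs-on:` or `steps:`, and only the `steps:` removal is visible here, so confirm no `runs-on:` line survives in the unchanged part. The removed steps uploaded SARIF results with `sha:` and `ref:` pinned to the matrix branch; whether security-scan.yaml preserves that from its `checkout-ref` input is outside this diff.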
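--- a/.github/workflows/download-k8s-snap.yaml
+++ b/.github/workflows/download-k8s-snap.yaml
@@ -0,0 +1,47 @@
+name: Download k8s-snap
+
+inputs:
+# Download k8s-snap using either a GH action artifact or a snap channel.
+artifact:
+description: The name of a GH action artifact.
+type: string
+channel:
+description: k8s snap channel.
+type: string
+output-file:
+description: The *.snap destination path.
+type: string
+required: true
+
+runs:
+using: "composite"
+steps:
+- name: Exit if no input provided
+if: ${{ inputs.artifact }} == '' && ${{ inputs.channel }} == ''
+run: |
+echo "No k8s-snap artifact or channel specified..."
+exit 1
+- name: Exit if multiple inputs provided
+if: ${{ inputs.artifact }} != '' && ${{ inputs.channel }} != ''
+run: |
+echo "Received snap artifact AND snap channel."
+exit 1
+- name: Create destination dir.
+run: mkdir -p $(dirname ${{ inputs.output-file }})
+
+- name: Download snap artifact
+if: ${{ inputs.artifact }} != ''
+uses: actions/download-artifact@v4
+with:
+name: ${{ inputs.artifact }}
+path: ${{ github.workspace }}
+- name: Move snap artifact.
+if: ${{ inputs.artifact }} != ''
+run: mv ${{ github.workspace }}/${{ inputs.artifact }} ${{ inputs.output-file }}
+
+- name: Download snap channel
+if: ${{ inputs.artifact }} != ''
+run: |
+cd $(dirname ${{ inputs.output-file }})
+snap download k8s --channel=${{ inputs.channel }} --basename k8s
+mv k8s.snap ${{ inputs.output-file }}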
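Review bot: The Download snap channel step is gated on `if: ${{ inputs.artifact }} != ''`, the same condition as the two artifact steps, so it is skipped in the channel-only case and would run in the artifact case with an empty `--channel=`; it should read `if: inputs.channel != ''`. Every `run:` step in this composite action omits `shell:`, which is mandatory for composite-action run steps (`shell: bash` on each), and the same omission is present in install-lxd.yaml. The other `if:` conditions put the comparison outside `${{ }}`, so they evaluate to a non-empty string and never skip. `${{ inputs.output-file }}` and `${{ inputs.artifact }}` are interpolated unquoted into the mkdir, mv and cd lines; passing them through `env:` and quoting (`"$OUTPUT_FILE"`) avoids word-splitting on paths with spaces and keeps caller-supplied values out of the script text.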
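--- a/.github/workflows/get-e2e-test-tags.yaml
+++ b/.github/workflows/get-e2e-test-tags.yaml
@@ -0,0 +1,36 @@
+name: Get e2e test tags
+
+on:
+workflow_call:
+outputs:
+test-tags:
+description: The filter tags to use when running e2e tests
+value: ${{ jobs.get-tags.outputs.test-tags }}
+
+jobs:
+get-tags:
+name: Build snap
+runs-on: ubuntu-latest
+outputs:
+test-tags: ${{ steps.get-tags.outputs.snap-artifact }}
+steps:
+- name: Checking out repo
+uses: actions/checkout@v4
+
+- name: Build snap
+id: get-tags
+run: |
+tags="pull_request"
+if ${{ github.event_name == 'pull_request' }}; then
+# Run all tests if there are test changes. In case of a PR, we'll
+# get a merge commit that includes all changes.
+if git diff HEAD HEAD~1 --name-only | grep "tests/"; then
+tags="up_to_weekly"
+fi
+# Run all tests on backports.
+if echo ${{ github.base_ref }} | grep "release-"; then
+tags="up_to_weekly"
+fi
+fi
+echo "test-tags=$tags" >> "$GITHUB_OUTPUT"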
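Review bot: The job output `test-tags: ${{ steps.get-tags.outputs.snap-artifact }}` reads an output the step never sets — the script writes `test-tags=$tags` — so callers always receive an empty tag filter; it should be `test-tags: ${{ steps.get-tags.outputs.test-tags }}`. `git diff HEAD HEAD~1` needs the parent commit, but actions/checkout@v4 defaults to a depth-1 clone, so the diff would fail and the tests-changed case silently falls back to `pull_request`; adding `with: fetch-depth: 2` to the checkout step looks like the intent, to be confirmed on a PR run. `echo ${{ github.base_ref }}` splices a context value into the script; the same value is available as `$GITHUB_BASE_REF` without interpolation. The job and step are both named "Build snap", apparently copied from build-snap.yaml.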
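--- a/.github/workflows/install-lxd.yaml
+++ b/.github/workflows/install-lxd.yaml
@@ -0,0 +1,17 @@
+name: Install lxd
+
+runs:
+using: "composite"
+steps:
+- name: Install lxd snap
+run: |
+sudo snap refresh lxd --channel 5.21/stable
+- name: Initialize lxd
+run:
+sudo lxd init --auto
+sudo usermod --append --groups lxd $USER
+sg lxd -c 'lxc version'
+- name: Apply Docker iptables workaround
+run:
+sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
+sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT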
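Review bot: The Initialize lxd and Apply Docker iptables workaround steps use `run:` with a plain multi-line scalar instead of `run: |`, so YAML folds each into one line and `sudo lxd init --auto sudo usermod --append --groups lxd $USER sg lxd -c 'lxc version'` is executed as a single command; add the `|` block indicator on both `run:` lines, as the first step already does. Composite-action run steps also require an explicit `shell:` on every step. The action lives under `.github/workflows/` as a `.yaml` file, but a local composite action referenced with `uses: ./path` is resolved from a directory containing `action.yml`, so the `uses:` in build-snap.yaml may not find it as written.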
93 changes: 18 additions & 75 deletions .github/workflows/integration-informing.yaml
Expand Up @@ -16,89 +16,32 @@ permissions:
contents: read

jobs:
build:
build-snap:
name: Build ${{ matrix.patch }}
runs-on: ubuntu-20.04
uses: ./.github/workflows/build-snap.yaml
id: build-snap
strategy:
matrix:
patch: ["moonray"]
fail-fast: false
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install lxd
run: |
sudo snap refresh lxd --channel 5.21/stable
sudo lxd init --auto
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
- name: Install snapcraft
run: |
sudo snap install snapcraft --classic
- name: Apply ${{ matrix.patch }} patch
run: |
./build-scripts/patches/${{ matrix.patch }}/apply
- name: Build snap
run: |
sg lxd -c 'snapcraft --use-lxd'
mv k8s_*.snap k8s-${{ matrix.patch }}.snap
- name: Uploading snap
uses: actions/upload-artifact@v4
with:
name: k8s-${{ matrix.patch }}.snap
path: k8s-${{ matrix.patch }}.snap
with:
flavor: ${{ matrix.patch }}

get-e2e-test-tags:
name: "Get e2e test tags"
uses: ./.github/workflows/get-e2e-test-tags.yaml

test-integration:
needs: [ build ]
name: Test ${{ matrix.patch }} ${{ matrix.os }}
name: Test ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: ["ubuntu:20.04"]
patch: ["moonray"]
fail-fast: false
runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"]
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install tox
run: pip install tox
- name: Install lxd
run: |
sudo snap refresh lxd --channel 5.21/stable
sudo lxd init --auto
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- name: Download snap
uses: actions/download-artifact@v4
with:
name: k8s-${{ matrix.patch }}.snap
path: ${{ github.workspace }}/build
- name: Apply ${{ matrix.patch }} patch
run: |
./build-scripts/patches/${{ matrix.patch }}/apply
- name: Run end to end tests
env:
TEST_SNAP: ${{ github.workspace }}/build/k8s-${{ matrix.patch }}.snap
TEST_SUBSTRATE: lxd
TEST_LXD_IMAGE: ${{ matrix.os }}
TEST_FLAVOR: ${{ matrix.patch }}
TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports
run: |
cd tests/integration && sg lxd -c 'tox -e integration -- --tags pull_request'
- name: Prepare inspection reports
if: failure()
run: |
tar -czvf inspection-reports.tar.gz -C ${{ github.workspace }} inspection-reports
echo "artifact_name=inspection-reports-${{ matrix.os }}-${{ matrix.patch }}" | sed 's/:/-/g' >> $GITHUB_ENV
- name: Upload inspection report artifact
if: failure()
uses: actions/upload-artifact@v4
with:
name: ${{ env.artifact_name }}
path: ${{ github.workspace }}/inspection-reports.tar.gz
needs: build
uses: ./.github/workflows/run-e2e-tests.yaml
with:
arch: amd64
os: ${{ matrix.os }}
test-tags: ${{ jobs.get-e2e-test-tags.outputs.test-tags}}
artifact: k8s-${{ matrix.patch }}.snap
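Review bot: `needs: build` on the test-integration job references a job that no longer exists — the build job is now `build-snap` — and the job also consumes `get-e2e-test-tags`, so it should be `needs: [build-snap, get-e2e-test-tags]`; likewise `${{ jobs.get-e2e-test-tags.outputs.test-tags}}` must use the `needs` context, `${{ needs.get-e2e-test-tags.outputs.test-tags }}`, as `jobs` is not a context available in a job's `with:`. The new job name `Test ${{ matrix.os }}` suggests `patch` was dropped from that matrix, in which case `artifact: k8s-${{ matrix.patch }}.snap` expands to `k8s-.snap`; taking the name from `needs.build-snap.outputs.snap-artifact` would follow the build job directly. On the build-snap job an `id:` key is not valid at job level, and if `runs-on: ubuntu-20.04` survived next to `uses:` the workflow is rejected — the old/new side of those two lines is not recoverable here.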
